Allow access to WMS

In this tutorial, you will learn how to use security.manager for OGC to allow access to the WMS https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WMSServer for everyone. Further restrictions on access to services will be explained in the following tutorials.

Configure the service

In the server-config.json, all services whose access is to be secured by security.manager for OGC are listed. During installation, you created this file in the directory ${user.home}/.secman-ogc. You can add additional services to the services array in this file.

To allow access to the WMS, open the server-config.json. Add the following entry to the services section:

${user.home}/.secman-ogc/server-config.json
{
  "server": {
    "host": "https://services.conterra.de",
    "services": [
      {
        "path": "/arcgis/services/common/grenzen/MapServer/WMSServer",
        "type": "WMS"
      }
    ]
  }
}

This access must now be defined in more detail. To do this, create a file policies-grenzen-wms.json in the folder ${user.home}/.secman-ogc/policies. Reference this file in the server-config.json by extending the entry for the WMS as follows:

${user.home}/.secman-ogc/server-config.json
{
  "server": {
    "host": "https://services.conterra.de",
    "services": [
      {
        "path": "/arcgis/services/common/grenzen/MapServer/WMSServer",
        "type": "WMS",
        "policy-ref": "policies-grenzen-wms"
      }
    ]
  }
}

Define policies

In the policies-grenzen-wms.json you just created, all policies for the WMS are defined. In this tutorial, the service should be accessible to everyone.

Open the policies-grenzen-wms.json and enter the following:

${user.home}/.secman-ogc/policies/policies-grenzen-wms.json
{
  "policies": [{
    "layers": ["*"],
    "roles": ["enhancedSecurity_any"]
  }]
}

In this policy:

  • "roles": ["enhancedSecurity_any"] defines access for everyone, and

  • "layers": ["*"] defines access to all layers.
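
A pre-restart check for the two files edited above, added here as an example (it is not part of security.manager for OGC): it confirms that each policy-ref resolves to a file in the policies folder and lists the services whose policy grants enhancedSecurity_any. The function names, the temporary sample directory and the /example/WMSServer entry are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

ANY_ROLE = "enhancedSecurity_any"  # role the tutorial uses for "everyone"

def audit(config_dir):
    """Return (service path, finding) tuples for a .secman-ogc directory."""
    config_dir = Path(config_dir)
    config = json.loads((config_dir / "server-config.json").read_text(encoding="utf-8"))
    findings = []
    for service in config["server"]["services"]:
        path, ref = service.get("path", "<no path>"), service.get("policy-ref")
        if ref is None:
            findings.append((path, "no policy-ref set"))
            continue
        # Assumption taken from the tutorial: "policy-ref" is the file name
        # without ".json", and the file lives in the policies folder.
        policy_file = config_dir / "policies" / f"{ref}.json"
        if not policy_file.is_file():
            findings.append((path, f"policy file {policy_file.name} not found"))
            continue
        for policy in json.loads(policy_file.read_text(encoding="utf-8"))["policies"]:
            if ANY_ROLE in policy.get("roles", []):
                layers = ", ".join(policy.get("layers", []))
                findings.append((path, f"open to everyone, layers: {layers}"))
    return findings

def build_sample(root):
    """Write the tutorial's two files plus one constructed broken entry."""
    root = Path(root)
    (root / "policies").mkdir(parents=True)
    services = [
        {"path": "/arcgis/services/common/grenzen/MapServer/WMSServer",
         "type": "WMS", "policy-ref": "policies-grenzen-wms"},
        # Constructed entry: references a policy file that does not exist.
        {"path": "/example/WMSServer", "type": "WMS", "policy-ref": "policies-missing"},
    ]
    server = {"host": "https://services.conterra.de", "services": services}
    (root / "server-config.json").write_text(json.dumps({"server": server}))
    policy = {"policies": [{"layers": ["*"], "roles": [ANY_ROLE]}]}
    (root / "policies" / "policies-grenzen-wms.json").write_text(json.dumps(policy))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, finding in audit(build_sample(tmp)):
            print(f"{path}: {finding}")
```

To check a real installation, call audit() with the path of the .secman-ogc directory in the home directory of the user running Tomcat.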

Restart Tomcat

To apply the changes, security.manager for OGC must be restarted. Restart Tomcat to do this.

Verify configuration

In accordance with the policy, the WMS is now available to everyone at localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WMSServer. Compare the capabilities of the original service and the secured service.

You can see that the capabilities of both services are almost identical, except that links to services.conterra.de have been replaced with localhost:8080/secman-ogc.